The Dim-Post

August 29, 2014

How most people get hacked

Filed under: Uncategorized — danylmc @ 9:13 am

Chris Trotter writes about hackers

LISBETH SALANDER is the archetypal hacker: a damaged outsider; phenomenally clever; contemptuous of society’s rules; but possessed of an unflinching, if somewhat quirky, sense of right and wrong. Without Lisbeth, the journalist hero of Stieg Larsson’s The Girl With The Dragon Tattoo, Mikael Blomkvist, could never have brought the guilty to justice. In a world of mendacious millionaires, giant corporations and impenetrable public bureaucracies, the hacker provides the only credible means of moving the plot forward.

In mythic terms, Lisbeth is Ariadne, the Cretan princess whose precious linking threads allow the Greek hero, Theseus, to find his way through the impossibly complex Labyrinth and destroy the Minotaur – the monstrous, bull-headed man who dwells in its depths.

Maybe whoever hacked Cameron Slater is a Salander/Ariadne-like computer hacker, but most people carrying out this sort of activity have minimal technical skills. Here’s what usually happens:

  1. You set up your accounts with Gmail, Facebook etc., all of which are password protected.
  2. You set up an account at, say, Adobe, to download Acrobat Reader, or Apple or eBay to buy stuff, and use the same password as your Gmail and Facebook accounts.
  3. eBay, or Adobe, or some other entity holding your account credentials gets hacked.
  4. The hackers post the list of account credentials online where anyone can download them.
  5. Someone decides they want to hack you. They download a bunch of these lists, find your name, use free, publicly available, easy-to-use software to crack your password, and then try logging on to your Gmail account. Since the password is the same across both accounts, they succeed.

Obviously the people hacking the Apple database are technically skilled, but Slater’s email and Facebook could, in theory, have been hacked by anyone with the ability to download a couple of torrent files.

The ways to prevent this happening are:

  1. Change your passwords on your important accounts. Use a different password for each one.
  2. Set up two-step verification on your Gmail so that only certain computers can access your account.
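The chain described above, as an added example that is not part of the original post: a small Python script a user could run over their own password-manager export and a public breach dump to see which of their accounts an attacker at step 5 could reach. The account names, email address, passwords and dump lines are all constructed for illustration.

```python
import hashlib

# Constructed breach dump in the common "email:unsalted-SHA1" format that
# leaked lists are posted in. These are made-up entries, not real leaked data.
LEAKED_DUMP = """
alice@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob@example.com:7c4a8d09ca3762af61e59520943dc26494f8941b
carol@example.com:b1b3773a05c0ed0176787a4f1574ff0075f7521e
"""

# Constructed password-manager export for one user: account -> (login, password).
# Only the Adobe account appears in the dump, but Gmail reuses its password.
MY_ACCOUNTS = {
    "gmail":    ("alice@example.com", "password"),
    "adobe":    ("alice@example.com", "password"),
    "ebay":     ("alice@example.com", "123456"),
    "facebook": ("alice@example.com", "Tr0ub4dor&3"),
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the weak scheme many dumped sites used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def parse_dump(text: str) -> set[tuple[str, str]]:
    """Turn 'email:hash' lines into a set of (email, hash) pairs."""
    pairs = set()
    for line in text.strip().splitlines():
        email, _, digest = line.strip().partition(":")
        if email and digest:
            pairs.add((email.lower(), digest.lower()))
    return pairs


def reuse_groups(accounts: dict) -> list[list[str]]:
    """Groups of accounts (size > 1) that share the same password."""
    by_hash: dict[str, list[str]] = {}
    for name, (_, pw) in accounts.items():
        by_hash.setdefault(sha1_hex(pw), []).append(name)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def exposed_accounts(accounts: dict, dump: set[tuple[str, str]]) -> list[str]:
    """Accounts whose password hash was leaked for one of this user's logins.
    Reused passwords mean the breached site is not the only account exposed."""
    my_logins = {login.lower() for login, _ in accounts.values()}
    leaked_hashes = {h for email, h in dump if email in my_logins}
    return sorted(n for n, (_, pw) in accounts.items() if sha1_hex(pw) in leaked_hashes)


if __name__ == "__main__":
    dump = parse_dump(LEAKED_DUMP)
    print("reused across:", reuse_groups(MY_ACCOUNTS))          # [['adobe', 'gmail']]
    print("exposed by dump:", exposed_accounts(MY_ACCOUNTS, dump))  # ['adobe', 'gmail']
```

Any account listed by `exposed_accounts` needs a new, unique password; `reuse_groups` shows which other accounts would fall with it even before a breach is published.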

19 Comments »

  1. I use two-step verification via a mobile phone app, similar to a RSA token, for my gmail.

    Comment by Sanctuary — August 29, 2014 @ 9:39 am

  2. When’s the next release then eh Danyl-I-mean-Whaledump?

    Comment by pete — August 29, 2014 @ 9:59 am

  3. When a global website gets hacked, they don’t get your password at all. Raw passwords are never stored by sites; they have the ‘hashed’ version, or scrambled version.
    Most sites use two identifiers when you log in, say email address and password; the hashed version combines these two, just to make dictionary lookups of hashed versions much more difficult. While you may use the same password, if you use a different logon id then the hashed versions will be different. If you have a nonsensical password and vary your id it’s pretty difficult to try and unscramble your hash when there are easy ones by the thousands. There may be a few details here that are out of date as it’s a constantly moving story.

    It’s highly likely that the Oily Orca was hacked on his home network, through a social engineering approach via his wife and teenage kids.

    Comment by ghostwhowalksnz — August 29, 2014 @ 10:50 am

  4. @ghostwhowalksnz

    Re-read Danyl’s point 5 (and the Ars Technica link – which describes how a journalist, and password-cracking virgin, was able to crack 60% of a 14,000-strong hashed list in a few hours).

    Comment by Wireframe — August 29, 2014 @ 11:12 am

  5. ‘Raw passwords are never stored by sites, they have the ‘hashed’ version’

    Well. They never *should* store raw passwords. But….

    Comment by xy — August 29, 2014 @ 12:33 pm

  6. “They never *should* store raw passwords. But….”

    …the number of times I’ve had some random website send me my clear-text password in an email (as in, a password that I gave it) is mildly disturbing. There must be more than a few services out there which have badly engineered protection of people’s passwords and info.

    Comment by izogi — August 29, 2014 @ 12:49 pm

  7. izogi, I hate that too. I use 1Password to generate random passwords for everything, but I still pray that they’re merely forwarding the form input you gave them, rather than not hashing their passwords. Some sites, especially e-commerce with older audiences, find they have to do this.

    Comment by Chris Bull — August 29, 2014 @ 1:58 pm

  8. http://plaintextoffenders.com lists some sites to avoid.

    Comment by BenM — August 29, 2014 @ 1:58 pm

  9. Or be aware that an email is like a postcard that anyone can turn over and read, so write them accordingly

    Comment by rayinnz — August 29, 2014 @ 3:26 pm

  10. 15 years ago I worked for a company running a website that stored passwords as plaintext, alongside a hint to remind the user what the password might be.

    While debugging the login process at one stage I noticed one where the hint was “Same as your mail password dummy”, and yes, they’d provided their email address.

    Comment by Marko — August 29, 2014 @ 3:49 pm

  11. Vintage Trotter – thinking he knows about how cybercrime works because he read a novel about it, and throwing in pretentious classical allusions. Besides, everybody knows that Lisbeth is based off Pippi Longstocking, not Ariadne.

    Comment by kalvarnsen — August 29, 2014 @ 7:48 pm

  12. everybody knows that Lisbeth is based off Pippi Longstocking, not Ariadne.

    And Peter Dunne is based on Rumpelstiltskin. No female journalist on the upcurve of her career is ever likely to mistake him for a Tolkienesque wizard.

    Comment by Joe W — August 29, 2014 @ 9:09 pm

  13. Interesting – because if you run whaleoil@whaleoil.co.nz or camslater@gmail.com through a site like pwnedlist.com you find that they were compromised in a previous mass breach.

    But then, if you don’t change your password after it’s made public on the internet, and you leave your email on Gmail, presumably you are inviting people to have a look at the content of your inbox?

    Comment by B — August 29, 2014 @ 9:13 pm

  14. There is also the possibility someone close to him had physical access to his machine; wouldn’t it be ironic if he had just left the door open.

    Comment by michael — August 30, 2014 @ 9:52 am

  15. Easier still, just forward on an email in a timely manner.

    Comment by NeilM — August 30, 2014 @ 7:56 pm

  16. Can somebody who uses Twitter post Celine Dion’s “My Heart Will Go On” as a tribute to Judith Collins.

    Comment by troll — August 30, 2014 @ 8:13 pm

  17. #cicerowned

    Comment by SHG — September 1, 2014 @ 3:39 pm

  18. I wouldn’t be surprised if the hacking methods were as simple as you say, but I suspect rawshark is a lot more savvy than you give him credit for simply because no one knows who he is yet. It takes a lot of doing to do what he’s doing and stay anonymous from state power.

    Comment by anon — September 5, 2014 @ 5:32 pm
